From patchwork Mon Jan 20 19:26:28 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Herrmann X-Patchwork-Id: 3514231 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id CCB28C02DC for ; Mon, 20 Jan 2014 19:27:08 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 15EF8200FF for ; Mon, 20 Jan 2014 19:27:08 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 3DC5E2010E for ; Mon, 20 Jan 2014 19:27:07 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id A4222FAF13; Mon, 20 Jan 2014 11:27:01 -0800 (PST) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-bk0-f46.google.com (mail-bk0-f46.google.com [209.85.214.46]) by gabe.freedesktop.org (Postfix) with ESMTP id F3A82FAC2E for ; Mon, 20 Jan 2014 11:26:56 -0800 (PST) Received: by mail-bk0-f46.google.com with SMTP id r7so670655bkg.19 for ; Mon, 20 Jan 2014 11:26:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=GI/VPoZtFzddf+kEsK5LMLnrowoK4jUXUQ9/7XfnPv8=; b=MWJPAYABgnahzttN7/8a9of1fu9bkDD5TCqtk/Wqia7SMylsYf3T6NvFx4Lqt6DUGF EC8Jym/aPbruFXz3FGLInV8yQeDwu0YCIsPsheLEO1M2Xps2ZdBiwzA/pl6GKbDlhZmI pVDVVvITOmhIKyN4R3beCkTnj6TSZQxvVgQC9jksPeeRnO7sYFEFRnZKd/2c3dZ7snDG Vlq2hlrgAkcrwJtLIbnmn45YCcGidJU7ZW7VSBykTrngQp46bopxe6KQAF48WIW+UzLG 1xkV3/CBCTGvAigFljaYMl0EqSL6iXQFrfb6r1tIUv2c4kiEm62IX6jPBnL3MUT8rNls LZnw== X-Received: by 10.204.103.7 with SMTP id i7mr10942555bko.14.1390246016082; Mon, 20 Jan 2014 11:26:56 -0800 (PST) Received: from david-ub.localdomain (stgt-5f7292c1.pool.mediaWays.net. [95.114.146.193]) by mx.google.com with ESMTPSA id tf11sm1780282bkb.17.2014.01.20.11.26.54 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 20 Jan 2014 11:26:55 -0800 (PST) From: David Herrmann To: dri-devel@lists.freedesktop.org Subject: [PATCH 6/7] drm/crtc: add sanity checks to create_dumb() Date: Mon, 20 Jan 2014 20:26:28 +0100 Message-Id: <1390245989-13280-6-git-send-email-dh.herrmann@gmail.com> X-Mailer: git-send-email 1.8.5.3 In-Reply-To: <1390245989-13280-1-git-send-email-dh.herrmann@gmail.com> References: <1390245989-13280-1-git-send-email-dh.herrmann@gmail.com> Cc: Daniel Vetter X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: dri-devel-bounces@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org X-Spam-Status: No, score=-4.6 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Lets make sure some basic expressions are always true: bpp != NULL width != NULL height != NULL stride = bpp * width < 2^32 size = stride * height < 2^32 PAGE_ALIGN(size) < 2^32 At least the udl driver doesn't check for multiplication-overflows, so lets just make sure it will never happen. These checks allow drivers to do any 32bit math without having to test for mult-overflows themselves. The two divisions might hurt performance a bit, but dumb_create() is only used for scanout-buffers, so that should be fine. We could use 64bit math to avoid the divisions, but that may be slow on 32bit machines.. Or maybe there should just be a "safe_mult32()" helper, which currently doesn't exist (I think?). Signed-off-by: David Herrmann --- drivers/gpu/drm/drm_crtc.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 266a01d..ff647fa 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -3738,9 +3738,24 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_mode_create_dumb *args = data; + u32 Bpp, stride, size; if (!dev->driver->dumb_create) return -ENOSYS; + if (!args->width || !args->height || !args->bpp) + return -EINVAL; + + /* overflow checks for 32bit size calculations */ + Bpp = (args->bpp + 7) / 8; + if (Bpp > 0xffffffffU / args->width) + return -EINVAL; + stride = Bpp * args->width; + if (args->height > 0xffffffffU / stride) + return -EINVAL; + size = args->height * stride; + if (PAGE_ALIGN(size) < size) + return -EINVAL; + return dev->driver->dumb_create(file_priv, dev, args); }